phoenix-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Swaroopa Kadam (JIRA)" <>
Subject [jira] [Updated] (PHOENIX-5393) Perform _HOST principal expansion for SPENGO QueryServer principal
Date Fri, 02 Aug 2019 16:02:00 GMT


Swaroopa Kadam updated PHOENIX-5393:
    Priority: Blocker  (was: Major)

> Perform _HOST principal expansion for SPENGO QueryServer principal
> ------------------------------------------------------------------
>                 Key: PHOENIX-5393
>                 URL:
>             Project: Phoenix
>          Issue Type: Improvement
>            Reporter: István Tóth
>            Assignee: Josh Elser
>            Priority: Blocker
>             Fix For: queryserver-1.0.0, 4.14.3
>          Time Spent: 20m
>  Remaining Estimate: 0h
> [~stoty] found that we aren't doing {{_HOST}} expansion for PQS. We naturally get this
for the principal we use to talk to HBase (by virtue of using SecurityUtil/UGI to log in).
However, for SPNEGO, we're using the Avatica API to do this, so it doesn't do this "Hadoop-ism"
for us.
> We can use SecurityUtil to do it ourselves and then pass the correct hostname into the
Avatica {{HttpServer.Builder}} API.
> The error you get when {{_HOST}} is set is pretty obtuse on the server-side, including
to help the poor soul who ventures here with a similar error.
> {noformat}
> 2019-07-17 08:48:03,383 WARN
> GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument
(400) - Cannot find key of appropriate type to decrypt AP REP - DES3 CBC mode with SHA1-KD){noformat}
> We identified the problem by seeing, in {{}}
output, the following:
> {noformat}
> Looking for keys for: HTTP/_HOST@EXAMPLE.COM{noformat}
> At this point in the call, we should have had an expanded "instance" in the principal.

This message was sent by Atlassian JIRA

View raw message